During the height of the pandemic last year, the CISO took on new prominence within organizations. Increased security risks and hasty technology rollouts resulted in a greater chance of exposure to breaches and leaks. CISOs were forced to respond by quickly instituting measures to maintain business continuity and protect against new cyberthreats. Still, at many organizations, the crucial executive role of the CISO reports to the CIO.
Unfortunately, CIOs often have ground to cover when it comes to truly understanding security risk factors and the tools, budget, and personnel needed to mitigate them. As a result, CISOs often find themselves in a weaker position when it comes to getting the resources and approvals they need. With the average tenure of a CISO lasting about two years or less because of the growing stress that comes with the job, CISOs must balance the stress by focusing on the value they’re providing to their business.
I strongly believe that for security to improve, companies need to take the following steps to elevate the role of the CISO:
- Make the CISO equal to the CIO.
Rather than having the CISO report to the CIO as many organizations do today, the two should operate as equal counterparts. CISOs and CIOs must work closely together to ensure that developments and rollouts are secure. There’s nothing that slows down the product development cycle more than when crucial security measures are ignored, forcing developers to backtrack and delay delivery. When the CISO and CIO work in tandem as equals, the organization will take security just as seriously as IT, development, and technology rollouts.
A recent KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. CISOs and security teams need to support, not hinder, this business change. It’s important that security professionals think of themselves as risk managers that help direct and inform the business on taking on the risks that allow the company to meet their overall goals. Together, the CIO and CISO can ensure both parts of the business are striving toward the larger goal of a secure digital transformation.
- Shift organizational strategy and mentality.
With rising insider risks, an expanded threat landscape, and a remote or hybrid workforce, companies must take today’s security realities into account when setting an organization’s strategy. As a security leader, we don’t want to place overly aggressive security controls on everything. Today, for example, more than half (51%) of IT security leaders receive daily or weekly complaints about blocking employees’ legitimate work and file activity – an indication that blocking activities probably have gone too far. Try to tune the right level of security for the organization. Balance what the board, CEO and customers want and, at the same time, match the culture of the organization.
In a lot of cases, security leaders promote their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization. But with the support of the CIO, a CISO can understand the ins and outs of the technology and tools rolled out to employees, and ensure that the tools are secure for a productive, collaborative culture.
- Help the CISO become a powerful change agent.
CISOs should deliver regular reports and presentations to the board about the overall risk to the business. Security has become a business-wide challenge today and companies should not ignore security or leave it out of board-level conversations. By empowering the CISO to take part in, and lead, these important discussions, they have the power to make essential changes. This can relate to the overall security strategy and budget, the way the security team works more closely with IT prior to technology deployments, or the trainings that are given to the entire organization.
A successful CISO has a clear understanding of their business, what the company delivers and where the company delivers it. Once the CISO understands the company’s operating parameters and develops a strong relationship with the CEO, the board and other important decision-makers, CISOs arrive at a really favorable position.
CISOs are consistently called “students of the business” and I’m a strong believer that we not only need to hone our technical expertise, but must constantly learn about the business. As the role of the CISO has changed and been elevated in the past year, we need to ensure we keep the trust we’ve earned in our organizations. Security has become a business-wide, board-level priority – it’s no longer an afterthought. CISOs must continue making security a priority, voicing our opinions, and pushing for the budgets and assets we need. It’s all possible when the CISO and CIO are fully aligned, equal, and committed to securing their organization.
Jadee Hanson, CIO and CISO, Code42